Project

General

Profile

[Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy

Added by Christophe D. almost 3 years ago

Hello,

First of all, let me share a few information regarding the context:
  • The OS:
    # hostnamectl | grep -i system
      Operating System: CentOS Linux 7 (Core)
    
  • Prewikka was installed with the package manager (yum):
    # rpm -qa | grep -i prewik
    prewikka-5.2.0-4.el7.x86_64
    python2-prewikka-5.2.0-4.el7.x86_64
    
  • How Prewikka is started using the systemd service script:
    # grep -i execstart /usr/lib/systemd/system/prewikka.service
    ExecStart=/usr/sbin/prewikka-httpd -a 127.0.0.1
    
  • Apache version:
    # httpd -v | grep -i version
    Server version: Apache/2.4.6 (CentOS)
    
  • Apache configuration file for Prewikka:
    # cat /etc/httpd/conf.d/prewikka.conf 
    <VirtualHost *:80>
        ServerName xxxxxxxxxxxxx
        DocumentRoot/var/www/html/
        RewriteEngineOn
        RewriteCond%{HTTPS} !=on
        RewriteRule^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    </VirtualHost>
    
    <VirtualHost *:443>
        ServerName xxxxxxxxxxxxx
        DocumentRoot /var/www/html
        Header always edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure" 
        Header onsuccess edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure" 
        ProxyPass / http://127.0.0.1:8000/
        ProxyPassReverse / http://127.0.0.1:8000/
        ProxyPreserveHost Off
        ProxyRequests Off
        ProxyTimeout 600
        RequestHeader set Origin "127.0.0.1:8000" 
        RequestHeader set Host "127.0.0.1:8000" 
        RequestHeader set X-Forwarded-Proto "https" 
        RequestHeader set Referer "" 
        SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
        SSLCertificateKeyFile /etc/ssl/certs/apache-selfsigned.key
        SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20
        -POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        SSLCompression Off
        SSLEngine On
        SSLHonorCipherOrder On
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        Timeout 360
        UseCanonicalName on
    </VirtualHost>
    

Now, when I access Prewikka using https://xxxxxxxxxxxxx, using the TLS termination reverse proxy installed and configured locally (ie. on the same machine as Prewikka), I get the below error message for some actions:

Error: Origin check failed
Details:
except Exception as err: raise autherr or err if view_object.view_require_session and autherr:
/usr/lib/python2.7/site-packages/prewikka/main.py, line 285:
raise autherr or err
/usr/lib/python2.7/site-packages/prewikka/main.py, line 301:
response = self._process_static(webreq) or self._process_dynamic(webreq)

The actions are, for instance:
  • Update the password of an existing user
  • Create a new user
  • Change the period of the alerts I would like to display

I tried with Apache configured without TLS and I did not get this error. Any idea?

Thank you in advance for your help.

Regards,


Replies (5)

RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Francois POIROTTE almost 3 years ago

Hello,

Prewikka uses cookies bound to the application's host/path to prevent Cross-Site Request Forgery (CSRF) attacks.
Apache does not rewrite the cookies in HTTP requests/responses by default, hence the error.
See the ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath options inside Apache's documentation for more information on how to rewrite the cookies' host & path.

In addition, you should not set headers manually as it may interfere with functionalities of the HTTP protocol or your Internet browser (e.g. CORS).

Best regards,
François

RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Christophe D. almost 3 years ago

Thank you François. I will try that and keep you posted.

Regards,

RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Christophe D. almost 3 years ago

Hello,

Tested (ie. ProxyPassReverseCookieDomain & ProxyPassReverseCookiePath) but unsuccessful. As stated in my previous message, I do not get this error when I use the same setup but without the TLS configured on the Apache reverse proxy.

Any idea is welcome.

Regards,

RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Francois POIROTTE almost 3 years ago

Hello,

I finally had time to test a similar setup (with nginx).
From my investigation, when prewikka-httpd is used to run Prewikka, the application only sees the request made to prewikka-httpd and uses that to check the requests' origin. That is to say, it is not meant to be run through a reverse proxy.

I see two possible solutions:
  1. Do not run prewikka-httpd behind a reverse proxy.
    • You could either expose prewikka-httpd directly (it supports TLS certificates through the --key and --cert option), though I would recommend against it for performance reasons.
    • Instead, you could also run Prewikka through mod_wsgi. This is usually the recommended approach. See this page for more information.
  2. If you really want to use prewikka-httpd with a reverse proxy, you will need to rewrite the original Origin and Referer HTTP headers to match the origin expected by Prewikka, but only when the original value matches the expected value/prefix (this is necessary to prevent potential security issues). For nginx, this can be done with a configuration similar to the following inside a location block:
                    set $new_origin $http_origin;
                    if ($http_origin = "https://prelude.example.com") {
                            set $new_origin "http://127.0.0.1:8000";
                    }
                    proxy_set_header        Origin          $new_origin;
    
                    set $new_referer $http_referer;
                    if ($http_referer ~ "^https://prelude\.example\.com(.*)$") {
                            set $new_referer "http://127.0.0.1:8000$1";
                    }
                    proxy_set_header        Referer         $new_referer;
    
    In this example, nginx is listening for HTTPS requests on the vhost prelude.example.com, while prewikka-httpd is listening for HTTP requests on 127.0.0.1:8000. I think a similar configuration can be defined for Apache:
    # This requires mod_headers
    RequestHeader edit* Origin "^https://prelude\.example\.com" "http://127.0.0.1:8000" 
    RequestHeader edit* Referer "^https://prelude\.example\.com" "http://127.0.0.1:8000" 
    

Best regards,
François

RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Christophe D. almost 3 years ago

Hello and thank you François. I will keep you posted.

Regards,

    (1-5/5)